Tools Used

  1. IDA Pro


  1. Lab14-03.exe SHA256: a00c3277d9e56864d615441f41d5405216c1130107067094643a268b944b9c71


  • Detection Rate: 20/53
  • Analyzed on 2016-03-18
  • Compilation Date: 2011-08-22 05:08:27

Lab 14-3
This lab builds on Lab 14-1. Imagine that this malware is an attempt by
the attacker to improve his techniques. Analyze the malware found in file
1. What hard-coded elements are used in the initial beacon? What elements,
if any, would make a good signature?

From the figure below, we can see a hard-coded user-agent and headers (Accept, Accept-Language, Accept-Encoding, and a unique UA-CPU field). All of these can be used as a signature, especially the UA-CPU field. It is also noted that the author passes the string “User-Agent: xxx” into the InternetOpenA API call. This results in the User-Agent field being set to User-Agent:User-Agent:xxx… A duplication error that we can also use to generate a good signature.

Figure 1. HTTP Headers

2. What elements of the initial beacon may not be conducive to a long-lasting

In the subroutine @0x401457, we can see that the url “” is being set as the beacon destination. However, that is only the case if “c:\\autobat.exe” does not exist; if it exists, its contents are read and parsed as the beacon destination instead. Using “” as a signature might not be a good idea, since an attacker is able to change the beacon destination.

Figure 2. autobat.exe

3. How does the malware obtain commands? What example from the
chapter used a similar methodology? What are the advantages of this

The malware scans the response for a <noscript> tag. The text after the tag is the command to execute. The advantage of this technique is that it hides the commands in plain sight, blending them into the returned HTML page, which makes detection harder for the defender.

Figure 3. <noscript>

4. When the malware receives input, what checks are performed on the
input to determine whether it is a valid command? How does the
attacker hide the list of commands the malware is searching for?

Analyzing subroutines @0x00401000 and @0x00401684, the checks are as follows:

  1. starts with <noscript>
  2. url exists after <noscript>
  3. url ends with “69'”
  4. commands must be in the form of /command/parameter

The attacker hides the commands by switching only on the first character to select between the predefined commands. Therefore he can use different words to represent the same command, so long as the first character matches a case in the switch.

5. What type of encoding is used for command arguments? How is it different
from Base64, and what advantages or disadvantages does it offer?

The malware splits the parameter into 2-character chunks. Each chunk is passed to the atoi function to convert it to an integer, which is then used as an index into the following string to look up the character it represents.

Figure 4. Decode string

It is a custom encoding technique and thus not easily detected by existing tools.

It is pretty simple to reverse.
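The four checks from question 4 and the two-character decoding from question 5, written up as a defender-side parser in Python. This is an added example, not code from the lab or this writeup; the decoding alphabet (Figure 4 is not reproduced here), the exact URL layout and all names are assumptions.

```python
from typing import Optional

# Decoding table the malware indexes into. Figure 4 is not reproduced in the
# writeup, so this alphabet is an ASSUMPTION made to keep the example runnable.
DECODE_TABLE = "/abcdefghijklmnopqrstuvwxyz0123456789:."
# Only the first character of the command word matters (question 4).
COMMANDS = {"d": "download_execute", "n": "exit", "s": "sleep", "r": "write_autobat"}
END_MARKER = "69'"  # check 3 in the writeup: the URL must end with this

def decode_argument(arg: str, table: str = DECODE_TABLE) -> Optional[str]:
    """Question 5 scheme: 2-char chunks -> atoi -> index into the table."""
    if len(arg) % 2:
        return None
    chars = []
    for i in range(0, len(arg), 2):
        pair = arg[i:i + 2]
        if not pair.isdigit():          # atoi would silently mangle these
            return None
        idx = int(pair)
        if idx >= len(table):
            return None
        chars.append(table[idx])
    return "".join(chars)

def encode_argument(text: str, table: str = DECODE_TABLE) -> str:
    """Inverse of decode_argument; used only to build constructed samples."""
    return "".join(f"{table.index(c):02d}" for c in text)

def parse_beacon_response(body: str) -> Optional[dict]:
    """Apply the four checks from question 4 to a response body.
    Assumed layout: <noscript>http://.../command/parameter69'  (None on failure)."""
    start = body.find("<noscript>")
    if start == -1:                                      # check 1
        return None
    rest = body[start + len("<noscript>"):]
    end = rest.find(END_MARKER)
    if end == -1 or not rest[:end].startswith("http"):   # checks 2 and 3
        return None
    url = rest[:end]
    parts = url.rstrip("/").split("/")
    if len(parts) < 2 or not parts[-2]:
        return None
    command, parameter = parts[-2], parts[-1]            # check 4: /command/parameter
    if command[0] not in COMMANDS:
        return None
    return {"url": url, "command": COMMANDS[command[0]],
            "raw_parameter": parameter,
            "decoded_parameter": decode_argument(parameter)}
```

Running the parser over captured response bodies gives both a detection (a match on the noscript/69' layout) and the decoded argument for triage.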

6. What commands are available to this malware?

Command  Description
d        Download & Execute
n        Exit
s        Sleep
r        Write autobat.exe

7. What is the purpose of this malware?

The malware serves as a backdoor by downloading and executing new code on the victim’s machine via HTTP requests. It can also rewrite the config file “autobat.exe” to make it connect to a different C2 server.

8. This chapter introduced the idea of targeting different areas of code
with independent signatures (where possible) in order to add resiliency
to network indicators. What are some distinct areas of code or configuration
data that can be targeted by network signatures?

  1.  “;
  2. Any new url found in “c:\\autobat.exe”
  3. Headers such as UA-CPU and User Agent (duplicated User-Agent)
  4. HTTP response contains <noscript>[url][69']

9. What set of signatures should be used for this malware?

Refer to question 8.
